PRODUCT BULLETIN
Bulletin Date: March, 2017
Applicable to All Regions
Effective Change Date: April, 2017
Introduction
Today’s digital era is challenging workforce productivity, from the 9-to-5
workday to the means of accessing and digesting data. More importantly, access to
data and applications across different mediums, from mobile to cloud, is redefining
traditional IT processes and policies. Pulse Secure has made it easier to secure
your data center, provide mobile access and enable new cloud services with our
integrated Secure Access Solution. This Product Bulletin describes new features
and functions available in Pulse Connect Secure 8.3r1, Pulse Policy Secure 5.4r1,
and the Pulse Secure desktop client 5.3r1.
These new releases from Pulse Secure enable network administrators to expand
their secure access solution support for network performance and security.
Aside from the enhanced IPv6 and HTML5 support, these releases have improved
visibility across remote and local networks along with other enhanced
integrations like expanding the ecosystems with market leading Next Generation
Firewall from Fortinet. With Pulse Workspace for smartphones and tablets,
enterprises now have a simple way to eliminate data-at-rest risks while
continuing to support any mobile app so that their end users can access
collaboration apps on the go - from campus to the road. Likewise, streamlined
wizards have been developed for the Cloud Secure feature in both Connect Secure
and Policy Secure so that popular use cases can be deployed with best-practice
guidelines. For the end user, SSO support for On-Premise users is now available
along with VPN only Access (Windows) for improved access.
What’s New
Common Features for Pulse Connect Secure 8.3R1 & Pulse Policy Secure 5.4R1.
Key Feature Benefit
Virtual License Server
In License server deployments, customers can deploy the License server as a virtual machine
to support fully virtualized environments. For details, refer to the License Management Guide.
Minimum client Version Enforcement
(Windows and Mac)
Admins can now enforce that end users have an updated version of the Pulse client before
access is allowed (See Pulse Client Section for details).
Management personality on PSA7000
Pulse One Appliance is now available onsite. This is only available in Pulse PSA7000. Please
contact support for more information.
HSTS header Support
PCS and PPS set the HSTS header on all 200 OK HTTP responses.
Pulse Connect Secure 8.3r1
Highlighted Features in this Release
Figure 1: Enable Virtual License Server
Key Feature Benefit
Certificate Based Active-Sync with
Kerberos Constrained Delegation
Provides secure, transparent access to Exchange ActiveSync by acting as a Kerberos Proxy that
translates certificate based authentication to Kerberos tickets using Kerberos Constrained Delegation,
without requiring the Kerberos Key Distribution Center (KDC) to be exposed to the Internet.
IPv6 Enhancements
ESP Tunnel Mode now supports IPv6 with Pulse client bundled with 8.3R1 and later. Only 6-in-6 mode
is supported.
Administrators can now create layer-3 Access Control Lists (ACLs) using IPv6 addresses.
IPv6 addresses can be configured for VLAN interfaces.
Split tunneling support for IPv6 (see Pulse Client section for details).
Rewriter support for IPv6. This includes: Basic Web ACL Policy, Selective Re-Writing, Custom Headers,
Web Proxy, Form Post SSO Support, Basic Filter Policy, HTML rewriting, JavaScript rewriting and CSS
rewriting. Additional items will be added in a phased manner in following releases.
Host-checker is qualified to work with IPv6 addresses, except for downloading updates from
non-Pulse Secure servers that may still be on IPv4.
SSL - SNI Extension support
PCS now supports the use of the Server Name Indication (SNI) SSL extension to communicate with backend
servers that require SNI. SNI is typically enabled on backend servers to support multiple hostnames on
the same IP address without having to resort to wildcard certificates.
SNI support is enabled for rewriter, PTP, SAML, JSAM, WSAM, Pulse One, license server, CRL,
ActiveSync, Syslog, and SCEP. OCSP, LDAPS, PushConfig are not supported.
Granular control over L4 PerAppVPN
functionality on iOS devices
Prior to 8.3R1 versions, we could only define the allowed destinations. Now, admins have granular
control over the destination list (IP/FQDN) defined for the L4 PerAppVPN functionality on iOS devices.
For example, an admin can now deny specific hosts (finance.xyz.net) and allow other destinations in
the domain (*.xyz.net) or vice versa. In addition, a default Allow or Deny rule can also be configured
for Non-defined WSAM Destinations.
Note: This configuration is available within the admin GUI under the user Role -> SAM -> Applications ->
WSAM destinations -> Add Server.
Citrix StoreFront support
Customers can now use CTS client as well as WSAM to access Citrix StoreFront.
VLAN for HTML5
VLANs can now be configured for HTML5 based access to datacenter resources.
SHA2, AES256 and DH14 in IKEv2 Phase 1
Customers can now use these stronger ciphers in the IKEv2 phase 1 when using IPSEC mode.
Option for NLA classic behavior
Newer Microsoft operating systems (e.g. Win 10) require NLA, which was enabled by default for WTS in
earlier releases and leads to double authentication prompts (NLA and RDP) after 8.1R7. While NLA will
continue to be enabled by default, the admin now has the option to switch to the classic (pre-8.1R7)
behavior at a role and bookmark level.
Figure 2: Certificate Based Active-Sync with Kerberos Constrained Delegation
Figure 3: Layer-3 Access Control Lists (ACLs) Using IPv6 Addresses
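The allow/deny destination rules described above for L4 PerAppVPN, sketched as an added example (not Pulse Secure code). First-match-wins ordering and `*`-only wildcard patterns are assumptions, and the rule list is constructed from the bulletin's finance.xyz.net / *.xyz.net example; the `shadowed_rules` check flags a rule that an earlier, broader rule with the opposite action would pre-empt.

```python
from fnmatch import fnmatchcase

# Constructed rule list mirroring the bulletin's example.
# ASSUMPTION: rules are evaluated top to bottom and the first match wins;
# the bulletin does not document the product's evaluation order.
RULES = [
    ("deny", "finance.xyz.net"),
    ("allow", "*.xyz.net"),
]
DEFAULT_ACTION = "deny"  # default rule for non-defined destinations


def _matches(pattern, host):
    # Case-insensitive match; a trailing root dot on the FQDN is ignored.
    return fnmatchcase(host.lower().rstrip("."), pattern.lower())


def decide(host, rules=RULES, default=DEFAULT_ACTION):
    """Return the action of the first rule matching host, else the default."""
    for action, pattern in rules:
        if _matches(pattern, host):
            return action
    return default


def shadowed_rules(rules):
    """Return (index, pattern) for rules that can never take effect.

    A rule is shadowed when an earlier rule with the opposite action
    matches its pattern as a string. For patterns whose only wildcard is
    '*', that means every host the later rule covers is already decided.
    """
    shadowed = []
    for i, (action, pattern) in enumerate(rules):
        for prev_action, prev_pattern in rules[:i]:
            if prev_action != action and fnmatchcase(pattern.lower(), prev_pattern.lower()):
                shadowed.append((i, pattern))
                break
    return shadowed


if __name__ == "__main__":
    for h in ("finance.xyz.net", "wiki.xyz.net", "example.org"):
        print(h, "->", decide(h))
    misordered = [("allow", "*.xyz.net"), ("deny", "finance.xyz.net")]
    print("shadowed in misordered list:", shadowed_rules(misordered))
```
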
Cloud Secure specific features in Pulse Connect Secure 8.3r1
Key Feature Benefit
Cloud SSO support for On-Premise users
(PPS Integration)
Seamless access to cloud applications (with SSO and Compliance checks), from outside the network,
as well as inside the network.
PWS Integration
Cloud Secure can enforce detailed compliance checks on mobile devices managed by PWS, before
allowing access to cloud resources.
ADFS Impersonation
ADFS Impersonation is a deployment mode for Cloud Secure where Cloud Secure may be introduced
for ‘Remote’ devices, where ‘Compliance’ based access is considered critical for access to cloud
resources. ADFS in this scenario may continue to provide SSO for internal devices, though it will not
be able to guarantee device compliance for these devices.
Pulse One Visibility
One management plane to see devices, users & applications across all Pulse portfolio.
Setup Wizard
Cloud Secure now introduces a click-through Setup wizard, which makes setting up Cloud Secure for
secure access to cloud resources a breeze!
SiteMinder integration
We now support Cloud Secure deployment with SiteMinder, in a Federated configuration.
Figure 4: Cloud Secure wizard: Configuration Screen
Figure 5: Option to change the entity ID in the UI for impersonating ADFS
Figure 6: In PPS, choice to configure PWS as MDM server
Figure 7: In PWS, Config Option to Use Wifi Profile for Compliance Check
Figure 8: In PCS enable usage of Federation sessions for providing On Premise access
Pulse Policy Secure 5.4r1
Highlighted Features in this Release
Key Feature Benefit
• Light-touch Deployment on Pulse
Policy Secure (PPS)
• Quick NAC deployment through use cases wizards
• Leverage existing PCS configuration for quick PPS deployment
• Reduce operational tasks
• IPv6 – 802.1x Authentication
• Extending 802.1x Authentication support over both IPv4 and IPv6 provides flexibility
for customers to configure and leverage similar authenticated Network access
policies on any type of network.
• Fortinet Identity-based Integration
via Syslog
• Extending NAC/BYOD (Bring Your Own Device) to perimeter defense
• Secure access for remote connections to local protected resources
• L2/L3 bridging for Agentless session
• Provide secure access for BYOD devices via port-based security, role-based access
and compliance check with agentless session.
• Cloud SSO support for On-Premises
users
• Provide Cloud Apps SSO to On-Premise users without need of establishing a VPN
tunnel.
• Consume a single user license to access cloud applications
• Pulse Workspace MDM integration
• Seamless mobility by providing Compliance check for On-Premise mobile devices
connecting to the corporate WiFi network via PPS.
• Machine Certificate validation via
Host Checker
• Enhance the machine certificate policy validation (by validating the private key) to
avoid security issues (e.g. exporting certificates from one machine and importing them
on another).
• Endpoint Visibility for remote
connection via PCS
• Profiler offers a single pane of glass view across local and remote users.
• Consistent role mapping can be done based on device profiles across local and
remote users.
• SNMP discovery for additional
switches/WLCs and Device discovery
using SNMP trap
• Provide visibility for statically configured IP devices connected to the wired switches -
Cisco, HP, Juniper, D-Link, Foundry, Nortel and Wireless Controllers - Aruba, Cisco,
Ruckus, Trapeze.
• SNMP trap support enables the administrator to get a real-time device status update
when a device connects to or disconnects from the network.
• Profile endpoints using CDP/LLDP,
WMI, MDM integration, RSPAN DHCP
traffic
• A quick device profiling method that fetches CDP/LLDP information from the
configured switches and classifies devices as soon as they are found.
• Enables the administrator to profile Windows endpoints with reliable data.
• Enables the administrator to leverage MDM attributes to classify mobile devices.
• RSPAN DHCP fingerprinting provides flexibility and ease of use for the administrator to
profile endpoints.
• New Device Discovery Reporting and
Dashboard with advanced filters and
historical data
• Complete visibility of all devices (local or remote) in the network, with search for any
device the administrator is looking for.
• Visual representation of active sessions for remote and on-premises connections.
• The dashboard with widgets and charts to understand the state of the system as well
as to monitor day to day changes.
Figure 9: Light-Touch PPS Deployment
Figure 10: New Profiler Dashboard
Figure 11: IPv6 support for 802.1x Authentication
Figure 12: Remote (VPN) and Onsite (NAC) Connections
Figure 13: RSPAN (DHCP), WMI, MDM Support
Figure 14: CDP/LLDP Support
Pulse Secure Desktop Client 5.3r1
Highlighted Features in this Release
Key Feature Benefit
• IPv6 Split Tunneling (Windows & Mac)
• Split Tunneling allows enterprises to optimize traffic routing by letting enterprise data flow
through the enterprise gateway, and all other traffic directly from the user’s device to the internet.
This ability is now also supported for IPv6 destinations.
• IPv6 802.1x Authentication (Windows
& Mac)
• Extending 802.1x Auth support over both IPv4 and IPv6 offers customers the ability to apply
network access policies on any type of network.
• User Certificate Authentication on
Linux (Linux)
• User Certificate authentication allows a secure and seamless user experience when setting
up a VPN tunnel. This ability is now also available with our Pulse Desktop Linux client.
• Support for Debian Linux (Linux)
• In the spirit of providing broad platform support for our customers, we have now added
Debian Linux as a validated platform, to an existing (and impressive) list of supported Linux
platforms.
• Minimum Client version enforcement
(Windows & Mac)
• From a compliance standpoint, it is critical for our customers to be able to require
all their users to be on a select version of the Pulse Secure client, which is
known to have fixed the latest security bugs. This feature lets IT mandate such a client
version, and force all users to upgrade to it, before they may be allowed access to
corporate resources.
• VPN only Access (Windows)
• VPN only access is an extension to our existing ‘Always ON’ VPN and adds flexibility to the
function, by letting users be in control of when they want to access the VPN. When a user
is not connected to the VPN, all network access is blocked. When a user needs to access
something on the network, they must sign into the VPN, and in successfully doing so, get
the network access allowed by IT.
• Windows 10 Redstone support
(Windows)
• Complete support for Windows 10 Redstone.
Figure 15: Minimum Client Version Enforcement
Figure 16: IPv6 Split Tunneling
Figure 17: VPN Only Access
Learn More Resources
• Pulse Connect Secure datasheet
• Pulse Policy Secure datasheet
• Pulse Cloud Secure product brief
www.pulsesecure.net
About Pulse Secure, LLC
Pulse Secure, LLC is a leading provider of access and mobile
security solutions to both enterprises and service providers.
Enterprises from every vertical and of all sizes utilize Pulse Secure’s
Virtual Private Network (VPN), Network Access Control (NAC) and
mobile security products to enable secure end-user mobility in
their organizations. Pulse Secure’s mission is to provide integrated
enterprise system solutions that empower business productivity
through seamless mobility.
Corporate and Sales Headquarters
Pulse Secure LLC
2700 Zanker Rd. Suite 200
San Jose, CA 95134
Copyright 2017 Pulse Secure, LLC. All rights reserved. Pulse Secure and the Pulse Secure logo are registered
trademarks of Pulse Secure, LLC. All trademarks, service marks, registered marks, or registered service marks are the
property of their respective owners. Pulse Secure assumes no responsibility for any inaccuracies in this document.
Pulse Secure reserves the right to change, modify, transfer, or otherwise revise this publication without notice.